46cdc38806d00295bb3d6c87a2d06a3aefe648c8a1bb7e7aa54abe37019a96aa

Resubmissions

27-01-2024 18:29

240127-w44a4sheh7 8

27-01-2024 18:28

240127-w4jayabdcq 1

Analysis

max time kernel
284s
max time network
301s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
27-01-2024 18:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_FileViewPro_2024.exe
Size

1.3MB
MD5

9462e2b4992e3ea63f3f04c499dc5a05
SHA1

9e57c55d9d51d6eabda71ffdfaf48709209943e2
SHA256

46cdc38806d00295bb3d6c87a2d06a3aefe648c8a1bb7e7aa54abe37019a96aa
SHA512

3f5d68ceeb34a24a91a2718e645564dbc2c6a75d018a517f9884f1a228140ee00f5108e00d43f3feeaf5f40cf391a44d81ec90fd63d445ecb1e3f2675dd3f13d
SSDEEP

24576:ih6SVFzDl6eZmL4v9IoYOlrQ14T1+G05hKwzlXX8l8whkwBY2/+WLHkO4H:K6UXtvDz85hK8XM8rcY/OI

Score

8^/10

evasion ransomware

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

000.exe

description	ioc	process
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\Z:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\V:	000.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

000.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Control Panel\Desktop\Wallpaper 000.exe
Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\INF\netrasa.PNF svchost.exe
File created C:\Windows\INF\netsstpa.PNF svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000\Control Panel\Desktop\Wallpaper	000.exe

description	ioc	process
File created	C:\Windows\INF\netrasa.PNF	svchost.exe
File created	C:\Windows\INF\netsstpa.PNF	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

1520 taskkill.exe
3004 taskkill.exe

pid	process
1520	taskkill.exe
3004	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133508538801685310"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exe000.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3196661410-1888440797-2304965013-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

3624 chrome.exe
3624 chrome.exe
1712 chrome.exe
1712 chrome.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
616
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

3624 chrome.exe
3624 chrome.exe
3624 chrome.exe
3624 chrome.exe
3624 chrome.exe
3624 chrome.exe

pid
4
4
4
4
4
616

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svchost.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	360	svchost.exe
Token: SeCreatePagefilePrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeLoadDriverPrivilege	360	svchost.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe
Token: SeShutdownPrivilege	3624	chrome.exe
Token: SeCreatePagefilePrivilege	3624	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe
3624	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Setup_FileViewPro_2024.exe000.exe

pid process

5092 Setup_FileViewPro_2024.exe
5092 Setup_FileViewPro_2024.exe
5092 Setup_FileViewPro_2024.exe
3496 000.exe
3496 000.exe

pid	process
5092	Setup_FileViewPro_2024.exe
5092	Setup_FileViewPro_2024.exe
5092	Setup_FileViewPro_2024.exe
3496	000.exe
3496	000.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3624 wrote to memory of 4664	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 4664	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 3512	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 4524	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 4524	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe
PID 3624 wrote to memory of 516	3624	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2024.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_FileViewPro_2024.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4740

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s RmSvc
1⤵
PID:2636

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s SstpSvc
1⤵
PID:3036

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:360

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s RasMan
1⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa241e9758,0x7ffa241e9768,0x7ffa241e9778
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:2
2⤵
PID:3512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1776 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2096 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3168 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:3296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3124 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4516 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:3356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:4908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4692 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:4548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:3336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5096 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:1912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5004 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2340 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2240 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:1
2⤵
PID:1096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3180 --field-trial-handle=1848,i,1836936842472720610,8140637752126446728,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\000.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_000.zip\000.exe"
1⤵
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
2⤵
PID:3532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
PID:3004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
PID:1520

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' set FullName='UR NEXT'
3⤵
PID:2932

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic useraccount where name='Admin' rename 'UR NEXT'
3⤵
PID:5076

C:\Windows\SysWOW64\shutdown.exe
shutdown /f /r /t 0
3⤵
PID:1520

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3afd855 /state1:0x41c64e6d
1⤵
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\691bb362-7dda-4ef0-8676-df3445f3c4a9.tmp
Filesize
103KB

MD5
867a0d14b8efa308f4d20be05e81e43d

SHA1
d1916182ed026dca425a8f484f8b53846a8cc0bd

SHA256
f4b38561dd187ed760f7be94eea798268b945fa18529719ea546662f9e1159c5

SHA512
5b2ed2a2be274a8c867ced6b8144a97e83e3b77d5bebd17eaa769dafe3c37e717562dbddff73f51b292c376516fc97f34758d46c4beaf206f6d40a5282c85ca0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
966da2625ecaa98ff384c76c555e3a51

SHA1
1252d8bf120e7417d6d0c1465b8350277fde297e

SHA256
79e2741dc60024c509e129444dd67041d48c0ec3a554aa35eb879e7811cb2749

SHA512
ab782423936603219589de8f1f1d37134000b3be771dc21aa0aff9c69ed438ca42b6efb0ef1319cb5c473c8ec4405c7df8bfc9e8185b35c5745f2fdfb9827753

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
97021724a507171658a7fcdbb848e026

SHA1
f2e6f21d2f0d57d398126ee1cc6b9b358459c640

SHA256
323ad3547b9165008236bd0c8bf9a8f2eab61883fb6f10b6e9436330ffbe0b54

SHA512
c92141c1384d5855160d22499886c01960ad3242a98aca32822273b36e370e25cbb0170199fb0c51865d155ab620eef2ec764e59af2ef90f2f53dac58e38ebaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
34d074082c66feab10f47fe079be1d5a

SHA1
8403f53476b80a29823e7feacbb841bb662d502c

SHA256
695772c06cb018c6820fe3910dcf7e4af2e2ba48fc68a8fec1b63f4964d65754

SHA512
0e2df605537ae13725505a69a394248ea0f044b584fd0c21eb34b6be12a16f8e88c835693b3b03502cf57b80ae11e8633f4530d7ef791adb37dfa67ad762001f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
f4a9970eef58219fb9bf7702838a571a

SHA1
f94f889ec3b984d9499a64e86dab7e68c7435b42

SHA256
f2f3ad2b87c5660d4b5b6ea8d602717743f57d08491eb9f35cf7f3e135b1af56

SHA512
313757f4d97fc5307091b0198117ac94982e28eeddf6ac257da81ab296507bd458bd6dd48f1d17bd5c64e7e22e8c7bec31bc160972156e9d1dd71e41aa111bfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
0523e7a3c41f06da347330637f86ab51

SHA1
68697b97f756af338e175cf5b0a237f1271e4c43

SHA256
f0898ff60f3697df0c5a304e3378c29972fd258da88faac44270c7724f04072a

SHA512
5ba6f4f72607efd5a092f0fd168f25fe4d299aa6dfe90944b0edf9ea380eca6e0e15f7da52029d72264c7d446016e1088cb354841b8a6f6b2d8756a960ac26d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
aedd77352db66abeb73cc514d386692d

SHA1
79b98b4447e12838ee8ff8a8b8ca89c20d4cea8b

SHA256
b32ee613439ff5cc0544590cd12e7f52a443c0e8975de404fd06458dc731c8d0

SHA512
5d4b2ac33c2ddf9c342f6416292f5bbe78565a6363970d4a1c5fd538b90286700e982212b6f2095416124e587267bdd894c66d56017ea2eddea51de9f53faa7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
afadfb3885e368d4d9a14dcf8acaba92

SHA1
76f77bf57f88e28d171960f60878af4d962f7e0e

SHA256
642807e165d5760dbfb5b0d664234ae97db4a013b7ff7f06500ffde2a9bc0b8f

SHA512
b7f37d0c9529d8edd61ad5e8f117dff2c2499239b3a3402c918cb9aa67ce063176621cfeb878c2a8f20444476eb0f23d5789abcdbe1e55d7160e97cebbf75512

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
539B

MD5
347214d2f18c671d4e70f9ce16029509

SHA1
452dd9e6aa9df82d4ec3122fb10a64dd02fd4bb8

SHA256
60ed96c83960dd7863189f2d0308802b590cd2b8be47dde0d4e5472444c50651

SHA512
2621dd997f338f9b649023b3fc4780c22f8f4032cb520df1f831e5229b1714c60461e2ea1bc5c0ac7efa3a3eb27e54c56280ce0492b02afb3dd90f98d11f76b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
723624e6485f46e01ebc0c73c190a6c2

SHA1
4ccf202d544f0435117c637e9391efa0b969ee59

SHA256
63a77212f66a6f785c27205fdb275bc1ab6ba62c26e87ff8e05f24d7d82d7bdf

SHA512
6e625e071db70050cbd1ac0d8be77c19eed3ce88a50e98964ee5aabec67ef331176b956c9f99a25e3221c1486510970afd0110885e5a6a2478d724c37af41708

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
38c9f617179920ff56f2a315bc2dba31

SHA1
df72619479d96488d1edd14ee6e347c7f1fb07af

SHA256
b5f13de5c435d87100445c51234c5a929867433e809f82eb4a296bec821eb2b7

SHA512
f51b66405e29d9b68e03d7943bb91a72e0348188e2ff3ec00fc6ff7ab6d27f5dcb84dfeea8d7a3f98e677ed68fac1150e35dca1afec84798443c277df160d354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
d739933a716487634f6ac27d1d790f24

SHA1
f74612833a9f519d4a9f10b6a9619c1cb0a2ef2b

SHA256
e2a0ab7fb528ac8192382017b105125c50c9e4f1ce2073febb292e861d83a2ca

SHA512
501667583446a93bc5a203802ab05a4c342e9724840e94e4b785ab7a65ba8e8722e551db1a0882d656ed856d818cead2ac6630b9647902a705f3fb5406b5afd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ae41af3d8e578226ba136eaba7bf3ced

SHA1
fa5049483b1149d77b5de75f925f24c33637eefc

SHA256
a0b63d68dd75582a803c0fbc9b498ff85983b6b08a597cc20b29975b3b1d03ff

SHA512
aaacc23f11ab2e56eee59ad6ebae6377bd58cd25dce6c666a965ac39f9840f9b841797977c5538e7665f341298bcd27c0ab37c8bcec6a4ce4d12de4024f47151

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
5df0c7be8b547053f5dc622f002d2d3f

SHA1
32133649a9769351e30f4a1d675cd21f9639b5b2

SHA256
a8c865a0f6f7d1eb2d99d244c421b739dae770f07a87b6890400bdd9e1dbd12b

SHA512
512c283f4576d314c27f38fa403642ed2f7beee5c981a4d7898f2c3b0a18a9169f94e0206bc297e24f22af509beb4b8f61f9e475acf032e7da6e956841820e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
20015feaa658e0c96e9f1bde40c955c4

SHA1
bea37cc1d492342c54e4429c9b18ff5626aea14e

SHA256
209268cb481f540a47cbe1700ee544129b3eeabdd1bd5cb2a6442e09602922b0

SHA512
61ffbd19c71c7aa366a4d13210dc74ce3896607b4dea3681e60934a44934b1bed18ed4f2cad5a4ade7a56087d88c39973540226201f511d84a3ea4ec216e8098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
1ceb9fc6d11df29a5a9b17ad4438e0fb

SHA1
381b6a64dd659c78ebecbe29453c4f20e3486651

SHA256
9399dcc36629495c12e9a88bd4c11a2b3002bd12d3d8702d1bf9a06c45b2e3e9

SHA512
6b718b1d14f62051abcd45a989956017430893e40a245add5fc30f838cc70e463478ad839410158ab78151329f7c65c11695f98c291ed8ce372991967b209cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
12KB

MD5
11bc68a937de25cc684de35ea69a0984

SHA1
532f9dd85a87acb1e0bbf272958496b81649a7ca

SHA256
452200395429b808a10f70869e99b6dd687e683137a36ea25479f56df9ff2303

SHA512
d3bb414a8c9a8afa957c6db7e547c9dbb728e9e62629d019652521f86879ce0b1fd4ae56db021c17fa171588cb806a0ec690b23adbc4cc28e76e59638f7a16af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
231KB

MD5
a6fb96601f4a4cf9a4a8539fde64aea3

SHA1
12435ed2c32ef232e0b33ef272859e99aa5a63fd

SHA256
166a56a395512dae437309c0880faaeb0be08ea51b2e7477dfb18fcda7df184c

SHA512
00961181d0bcb64e71b91a08c575802dfb734e2039c38a17fc48fad72d452e9bee7c169e70811d4b72f12e97138a7c3037797b62853874ddae97e0ca79b31dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
231KB

MD5
6b6460705e9a9df7f3ac62f99042efde

SHA1
2b2183ed1ee55253e965a773e7604d56aaaf0d49

SHA256
e3e8ad7b3bda69fd1c5f03aaad94ab5b9dc4f1cb070a39f39b5fc0d9c1648926

SHA512
8d2f269b64f7a0f12c21bc56c27003865fc10df0262bfe6c809bd446d33f6fd46735b9b5edb68042b72ad7de7c61b332765bb6910ff6cb40e6db798f3fcc7791

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a46bf.TMP
Filesize
92KB

MD5
0d8e5947778ab0dc752c073f5200b484

SHA1
7a98a936f4a22dc392da917c7fdb3d8741cc684c

SHA256
ed9edbbe313f70a469ef8ad6fdd6c221de449c8190fd32ff5ca5d9efd20dd8dc

SHA512
98feba4e14ef8da561a838aa1460d4e054241144c5e7150554f7fcf9f409103fa0be321b8b510dc68becd9bacfc60da6c77583231b8d78ce96b2594c0b047d04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
a88227b5e6f8af2c772293e8e912a147

SHA1
ce1d916ba5f8a34edde8279376b30dd21a09e955

SHA256
d83321af28485f1c070e8fcb815a0eed94acc72b8b38f91e891fe88c740fbdcd

SHA512
bb821d30db520682ac02f7c61c1b08e33480ebc229727bcaed4915ca8e620905c1008372118095cd2e28505afabb6efb9c6846e4abaa7c6e8721be4d89ed49a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
896KB

MD5
523d8edabc55cad5378675f80eaf0753

SHA1
884302eadf3b7134ee6a30dbbb29b785a37c2def

SHA256
b73d09abf78d92ec6de4aebdf3096968b9e7fc2462988ae20266574caf36e73e

SHA512
b150404f76c49c104d6e0ef57884a769e2727da5976cffaa8d5d18510c2ca19dd861709e0f282ddca75ceb9ab20ac0388d4ea61d7a1d07a2ad4e1d16c6ce2952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.2\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf
Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe
Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat
Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\000.zip.crdownload
Filesize
119KB

MD5
f5d73448dbe1ec4f9a8ec187f216d9e5

SHA1
6f76561bd09833c75ae8f0035dcb2bc87709e2e5

SHA256
d66c4c08833f9e8af486af44f879a0a5fb3113110874cc04bd53ee6351c92064

SHA512
edbdc1d3df9094c4e7c962f479bb06cdc23555641eeb816b17a8a5d3f4d98f4d1d10299fd2f9152d30e3fa9e5b12c881fd524e75612e934b287109492ee1520b

Download Submit
C:\Windows\INF\netrasa.PNF
Filesize
22KB

MD5
80648b43d233468718d717d10187b68d

SHA1
a1736e8f0e408ce705722ce097d1adb24ebffc45

SHA256
8ab9a39457507e405ade5ef9d723e0f89bc46d8d8b33d354b00d95847f098380

SHA512
eec0ac7e7abcf87b3f0f4522b0dd95c658327afb866ceecff3c9ff0812a521201d729dd71d43f3ac46536f8435d4a49ac157b6282077c7c1940a6668f3b3aea9

Download Submit
\??\pipe\crashpad_3624_CHLJIKYTGVBTZUMK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3496-357-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3496-386-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-389-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-388-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-387-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-383-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-390-0x000000000CF50000-0x000000000CF60000-memory.dmp

Filesize
64KB

Download
memory/3496-394-0x000000000CF50000-0x000000000CF60000-memory.dmp

Filesize
64KB

Download
memory/3496-395-0x000000000CF50000-0x000000000CF60000-memory.dmp

Filesize
64KB

Download
memory/3496-396-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-393-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-392-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-384-0x000000000C540000-0x000000000C550000-memory.dmp

Filesize
64KB

Download
memory/3496-377-0x000000000C560000-0x000000000C598000-memory.dmp

Filesize
224KB

Download
memory/3496-366-0x0000000005F00000-0x0000000005F10000-memory.dmp

Filesize
64KB

Download
memory/3496-391-0x000000000CF50000-0x000000000CF60000-memory.dmp

Filesize
64KB

Download
memory/3496-358-0x00000000064B0000-0x00000000069AE000-memory.dmp

Filesize
5.0MB

Download
memory/3496-356-0x0000000000E50000-0x00000000014FE000-memory.dmp

Filesize
6.7MB

Download
memory/3496-355-0x000000006F960000-0x000000007004E000-memory.dmp

Filesize
6.9MB

Download
memory/3496-1253-0x000000006F960000-0x000000007004E000-memory.dmp

Filesize
6.9MB

Download